Legal claims defining the scope of protection, as filed with the USPTO.
1. A computing system with an embedded network security perimeter that incorporates capabilities to secure external network communications comprising: a computer system based on an Advanced RISC (Reduced Instruction Set Computer) Machines (ARM) processor with integrated Security Extensions; an embedded network security perimeter running in a Trusted Execution Environment (TEE) on the ARM processor with dedicated memory and storage; and an Operating System (OS) running in a Rich OS Execution Environment on the ARM processor with a dedicated memory and a storage for the OS; wherein the TEE and Rich OS Execution Environment are hardware isolated from each other using the integrated security extensions, wherein only the embedded network security perimeter has an access to a physical network interface, wherein all network traffic from the Rich OS to external networks goes through security checks and transformations performed by the embedded network security perimeter in the TEE, wherein the embedded network security perimeter is controlled by a management service, wherein the management service uses a security policy as a primary source of configuration data, and wherein the security is protected using an encryption signature for decryption and a digital signature of the security policy is accessible only from the TEE.
2. The computing system as claimed in claim 1 wherein the embedded network security perimeter comprises a network firewall and a VPN gateway, wherein: the management service uses an additional input data from a device controlled by the TEE, and the security policy comprises one or more a local security policy or a remote security policy.
3. The computing system as claimed in claim 1 wherein the TEE performs access control of the storage, other devices and external interfaces.
4. The computing system as claimed in claim 1 where data exchange between the TEE and a Normal world is performed using one or more of a System Memory Controller (SMC), an Interrupt Request (IRQ), or a First Interrupt Request (FIQ).
5. A computing system comprising: a physical network interface; a security policy for the physical network interface; a processor comprising: a Trusted Execution Environment (TEE) comprising an embedded network security perimeter to secure the physical network interface, integrated Security Extensions, and a Rich Operating System (OS) Execution Environment to request network traffic to and from the physical network interface; and a management service to control the embedded network security perimeter, wherein the TEE and the Rich OS Execution Environment are hardware isolated from each other using the integrated security extensions, the management service uses the security policy as a primary source of configuration data, the embedded network security perimeter in the TEE performs security checks and transformations on the network traffic, and wherein the security is protected using an encryption signature for decryption and a digital signature of the security policy is accessible only from the TEE.
6. The computing system of claim 5 , wherein in the Rich OS Execution Environment is running an OS with a dedicated memory and a storage, and the OS requests the network traffic to and from the physical network interface.
7. The computing system of claim 5 , wherein the embedded network security perimeter comprises one or more of a network firewall or a VPN gateway.
8. The computing system of claim 5 , wherein the management service uses an additional input data from a device controlled by the TEE.
9. The computing system of claim 5 , wherein the security policy comprises one or more a local security policy or a remote security policy.
10. The computing system of claim 5 , further comprising a storage and an external interface, wherein the TEE performs access control of the storage and the external interface.
11. The computing system of claim 5 , wherein a data exchange between the TEE and an outside of the TEE uses one or more of a System Memory Controller (SMC), an Interrupt Request (IRQ), or a First Interrupt Request (FIQ).
12. The computing system of claim 5 , wherein the security policy grants the TEE access to the physical network interface.
13. The computing system of claim 12 , wherein the security policy prevents the Rich OS from accessing the physical network interface, and the TEE provides the Rich OS with authorized access to the physical network device.
14. The computing system of claim 5 , wherein the security policy denies prevents the Rich OS from accessing the physical network interface.
Unknown
April 2, 2019
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.